diff --git a/2019/hitb/interpreter_from_hell/code.txt b/2019/hitb/interpreter_from_hell/code.txt new file mode 100644 index 0000000..8e7b29d --- /dev/null +++ b/2019/hitb/interpreter_from_hell/code.txt 
@@ -0,0 +1,265 @@ + +TUOy>urV)B/(Rg)YC]F(dC(_}@ik;o V:Ulw>*FcK:qyd;!U+w +erH-|Mh!ytYcB%vdFoa<)}*FcK:qyd;!U+w +!sj@r_ipa]u~:aMcGJhRY|@: qM:.oQtSE|uHyq/:fh,OM)_C.aY, QhGg<[o/oQIC>lrXBT/@;dx&WfQ +xYJ?s%cWn`|+dfeDH>uF`_xOw QhGg<[o/oQIC>lrXBT/@;dx&WfQ a}YZZUMK@!Hw(sfP}P*Pp|b 38 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bc}cvHcGa,cT{QOG%s)rNT 0x0 +=?rUOWSpY^Rh;]k?cjMa=*PWI&pu Aww%Zd(oH=rR[emwa>beC{v 0 +fq>M=f~g,ls}s Aww%Zd(oH=rR[emwa>beC{v (rv/Dx{Uvm)_QlY&?}I*sNCe QhGg<[o/oQIC>lrXBT/@;dx&WfQ + =?rUOWSpY^Rh;]k?cjMa=*PWI&pu aUn!+yg|BbeC{v + BW&on=JCXoMPT]VA+sF>|ykB}@ aUn!+yg|BbeC{v y|r-J[}cvHcGa,cT{QOG%s)rNT y|r-J[fI>*cQw)% Aww%Zd(oH=rR[emwa>beC{v +Wc^,C/|O..B|HpVxj!X>n` +xYJ?s%cWn`|+dfeDH>uF`_xOw v<{~?b[>}cvHcGa,cT{QOG%s)rNT a}YZZUMK@!Hw(sfP}P*Pp|b 0x966a35fa + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bchx[Qqn 0x61 +/XrShxM)u?ci:`?oBVRm {_v.pppnwSkQFNW.C%K>hx[Qqn 0x15 +e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, 2 y|r-J[uF`_xOw {_v.pppnwSkQFNW.C%K>hx[Qqn a}YZZUMK@!Hw(sfP}P*Pp|b y|r-J[hx[Qqn 0x6c +/XrShxM)u?ci:`?oBVRm {_v.pppnwSkQFNW.C%K>hx[Qqn 0x05 +e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, 1 y|r-J[uF`_xOw {_v.pppnwSkQFNW.C%K>hx[Qqn a}YZZUMK@!Hw(sfP}P*Pp|b y|r-J[hx[Qqn 0x67 +/XrShxM)u?ci:`?oBVRm {_v.pppnwSkQFNW.C%K>hx[Qqn 0x05 +e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, 3 y|r-J[uF`_xOw {_v.pppnwSkQFNW.C%K>hx[Qqn a}YZZUMK@!Hw(sfP}P*Pp|b y|r-J[hx[Qqn 0x28 +/XrShxM)u?ci:`?oBVRm {_v.pppnwSkQFNW.C%K>hx[Qqn 0x55 +e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, 37 y|r-J[uF`_xOw {_v.pppnwSkQFNW.C%K>hx[Qqn a}YZZUMK@!Hw(sfP}P*Pp|b y|r-J[hx[Qqn 0x66 +/XrShxM)u?ci:`?oBVRm {_v.pppnwSkQFNW.C%K>hx[Qqn 0x0e +e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, 0 y|r-J[uF`_xOw {_v.pppnwSkQFNW.C%K>hx[Qqn a}YZZUMK@!Hw(sfP}P*Pp|b y|r-J[hx[Qqn 0x3a +/XrShxM)u?ci:`?oBVRm {_v.pppnwSkQFNW.C%K>hx[Qqn 0x41 +e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, 4 y|r-J[uF`_xOw {_v.pppnwSkQFNW.C%K>hx[Qqn a}YZZUMK@!Hw(sfP}P*Pp|b 
y|r-J[beC{v 5 +fq>M=f~g,ls}s Aww%Zd(oH=rR[emwa>beC{v (rv/Dx{Uvm)_QlY&?}I*sNCe 21 + e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, Aww%Zd(oH=rR[emwa>beC{v y|r-J[fI>*cQw)% Aww%Zd(oH=rR[emwa>beC{v +Wc^,C/|O..B|HpVxj!X>n` +e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, 3 WIX{QyNaA+cRf]e_QvZB}^Qvu +e(x~p?&ZlAc)g.CJ=_o|od![S-M qM:.oQtSE|uHyq/:fh,OM)_C.aY, 1 y|r-J[>M=f~g,ls}s $+R@?*h;tj:sq,-Y?CFpr`)< (rv/Dx{Uvm)_QlY&?}I*sNCe 125 + =?rUOWSpY^Rh;]k?cjMa=*PWI&pu }~V=j%mEhhL?iN$U(*q*?= 0 + fq>M=f~g,ls}s }~V=j%mEhhL?iN$U(*q*?= (rv/Dx{Uvm)_QlY&?}I*sNCe 16 + erH-|Mh!ytYcB%vdFoa<)}fI>*cQw)% }~V=j%mEhhL?iN$U(*q*?= + Wc^,C/|O..B|HpVxj!X>n` + =?rUOWSpY^Rh;]k?cjMa=*PWI&pu }~V=j%mEhhL?iN$U(*q*?= 1 + fq>M=f~g,ls}s }~V=j%mEhhL?iN$U(*q*?= (rv/Dx{Uvm)_QlY&?}I*sNCe 16 + =?rUOWSpY^Rh;]k?cjMa=*PWI&pu ]=snx-~/y+V(!g|F`V.)?+J }~V=j%mEhhL?iN$U(*q*?= + m)TIR(?F~^]]&-x/HD,g>!D^ww ]=snx-~/y+V(!g|F`V.)?+J 1 + e(x~p?&ZlAc)g.CJ=_o|od![S-M aM-:sSemflaYVwNbpJ }~V=j%mEhhL?iN$U(*q*?= (mxv)CmjMhD~(!B+Y,hC.h+S + e(x~p?&ZlAc)g.CJ=_o|od![S-M aM-:sSemflaYVwNbpJ ]=snx-~/y+V(!g|F`V.)?+J iDyeq%XwZZDLr)|+WSq + /XrShxM)u?ci:`?oBVRm (mxv)CmjMhD~(!B+Y,hC.h+S iDyeq%XwZZDLr)|+WSq + MwhnzQCnijflgw%OqFx]qq&GGw{ aM-:sSemflaYVwNbpJ }~V=j%mEhhL?iN$U(*q*?= (mxv)CmjMhD~(!B+Y,hC.h+S + r$anf<+$$Hhl*>fI>*cQw)% }~V=j%mEhhL?iN$U(*q*?= + Wc^,C/|O..B|HpVxj!X>n` + r$anf<+$$Hhl*>fI>*cQw)% $+R@?*h;tj:sq,-Y?CFpr`)< +Wc^,C/|O..B|HpVxj!X>n` +erH-|Mh!ytYcB%vdFoa<)}>M=f~g,ls}s }~V=j%mEhhL?iN$U(*q*?= (rv/Dx{Uvm)_QlY&?}I*sNCe 16 + e(x~p?&ZlAc)g.CJ=_o|od![S-M aM-:sSemflaYVwNbpJ }~V=j%mEhhL?iN$U(*q*?= )gxl(ruoh>wR{||:-b`Vp!d+ + e(x~p?&ZlAc)g.CJ=_o|od![S-M )G=Z;d!EPG{Y.yP[h`dvG }~V=j%mEhhL?iN$U(*q*?= J[:hI_Hd/weonQ-+W]ESQ^BjMtL + xYJ?s%cWn`|+dfeDH>uF`_xOw )gxl(ruoh>wR{||:-b`Vp!d+ $N@{(?do}aWbNACu_E!s?Z(wPB J[:hI_Hd/weonQ-+W]ESQ^BjMtL + r$anf<+$$Hhl*>fI>*cQw)% k+WFe@`|C!sy=qea;q^x!B:u=ug + q-d%qMK&l+q-|p]:)bcfI>*cQw)% }~V=j%mEhhL?iN$U(*q*?= +Wc^,C/|O..B|HpVxj!X>n` +xYJ?s%cWn`|+dfeDH>uF`_xOw k+WFe@`|C!sy=qea;q^x!B:u=ug 
a}YZZUMK@!Hw(sfP}P*Pp|b 16 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 88 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 101 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 84 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 7 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 1 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 10 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b ]U-[FkfZpa}}xGTW[ks/w]C + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 50 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 62 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 81 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 54 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 83 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 10 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 86 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bcuF`_xOw $HIy!Q;b?jCBJfpEwek]-muNi[ARt a}YZZUMK@!Hw(sfP}P*Pp|b 62 + %w}SQ;m&{R}?d@hNADzp@%P+ 0 +q-d%qMK&l+q-|p]:)bc*FcK:qyd;!U+w +create_vector vector_input +c}yFI;uoV[-LUk]u/LHYP=|/D` vector_input V:Ulw>*FcK:qyd;!U+w +sizeof vector_input size_of_input +compare_op size_of_input != 38 + exit 0 +end +mov 
variable3 0x0 +mov variable6 0 +for_true variable6 < size_of_input + mov variable9 variable6 + modulo variable9 32 + assign_to_3 vector_input variable6 variable4 + shift_left variable4 variable9 + xor variable3 variable4 + plus_one variable6 +end_for +compare_op variable3 != 0x966a35fa + exit 0 +end +mov variable1 0x61 +xor variable1 0x15 +assign_to_3 vector_input 2 variable4 +compare_op variable1 != variable4 + exit 0 +end +mov variable1 0x6c +xor variable1 0x05 +assign_to_3 vector_input 1 variable4 +compare_op variable1 != variable4 + exit 0 +end +mov variable1 0x67 +xor variable1 0x05 +assign_to_3 vector_input 3 variable4 +compare_op variable1 != variable4 + exit 0 +end +mov variable1 0x28 +xor variable1 0x55 +assign_to_3 vector_input 37 variable4 +compare_op variable1 != variable4 + exit 0 +end +mov variable1 0x66 +xor variable1 0x0e +assign_to_3 vector_input 0 variable4 +compare_op variable1 != variable4 + exit 0 +end +mov variable1 0x3a +xor variable1 0x41 +assign_to_3 vector_input 4 variable4 +compare_op variable1 != variable4 + exit 0 +end +create_vector vector_1 +mov variable6 5 +for_true variable6 < 21 + assign_to_3 vector_input variable6 variable4 + push_to_vector vector_1 variable4 + plus_one variable6 +end_for +assign_to_3 vector_input 3 variable15 +assign_to_3 vector_input 1 variable4 +shift_left variable4 16 +xor variable15 variable4 +assign_to_3 vector_input 0 variable4 +shift_left variable4 24 +xor variable15 variable4 +assign_to_3 vector_input 2 variable4 +shift_left variable4 8 +xor variable15 variable4 +random variable15 +mov variable7 0 +for_true variable7 < 125 + mov variable8 0 + for_true variable8 < 16 + create_vector vector_2 + random_vector vector_2 + assign_to_3 vector_1 variable8 variable10 + assign_to_3 vector_2 3 variable11 + xor variable10 variable11 + assign_to_vector vector_1 variable8 variable10 + plus_one variable8 + end_for + mov variable8 1 + for_true variable8 < 16 + mov variable16 variable8 + sub variable16 1 + assign_to_3 
vector_1 variable8 variable10 + assign_to_3 vector_1 variable16 variable17 + xor variable10 variable17 + assign_to_vector vector_1 variable8 variable10 + plus_one variable8 + end_for + plus_one variable7 +end_for +create_vector vector_y +push_to_vector vector_y 0x91 +push_to_vector vector_y 0x42 +push_to_vector vector_y 0xdb +push_to_vector vector_y 0x3f +push_to_vector vector_y 0xfa +push_to_vector vector_y 0x17 +push_to_vector vector_y 0x80 +push_to_vector vector_y 0xff +push_to_vector vector_y 0x8d +push_to_vector vector_y 0x75 +push_to_vector vector_y 0x88 +push_to_vector vector_y 0x25 +push_to_vector vector_y 0xaf +push_to_vector vector_y 0x96 +push_to_vector vector_y 0x64 +push_to_vector vector_y 0x63 +mov variable20 0 +mov variable8 0 +for_true variable8 < 16 + assign_to_3 vector_1 variable8 variable18 + assign_to_3 vector_y variable8 variable19 + compare_op variable18 == variable19 + plus_one variable20 + end + plus_one variable8 +end_for +compare_op variable20 != 16 + exit 0 +end +assign_to_3 vector_input 34 variable5 +assign_to_3 vector_input 31 variable21 +xor variable5 variable21 +assign_to_3 vector_input 24 variable21 +xor variable5 variable21 +assign_to_3 vector_input 27 variable21 +xor variable5 variable21 +compare_op variable5 != 88 + exit 0 +end +assign_to_3 vector_input 25 variable5 +assign_to_3 vector_input 26 variable21 +xor variable5 variable21 +assign_to_3 vector_input 32 variable21 +xor variable5 variable21 +compare_op variable5 != 101 + exit 0 +end +assign_to_3 vector_input 36 variable5 +assign_to_3 vector_input 25 variable21 +xor variable5 variable21 +assign_to_3 vector_input 29 variable21 +xor variable5 variable21 +assign_to_3 vector_input 21 variable21 +xor variable5 variable21 +compare_op variable5 != 84 + exit 0 +end +assign_to_3 vector_input 28 variable5 +assign_to_3 vector_input 24 variable21 +xor variable5 variable21 +assign_to_3 vector_input 23 variable21 +xor variable5 variable21 +assign_to_3 vector_input 27 variable21 +xor 
variable5 variable21 +compare_op variable5 != 7 + exit 0 +end +assign_to_3 vector_input 29 variable5 +assign_to_3 vector_input 31 variable21 +xor variable5 variable21 +assign_to_3 vector_input 35 variable21 +xor variable5 variable21 +assign_to_3 vector_input 36 variable21 +xor variable5 variable21 +compare_op variable5 != 1 + exit 0 +end +assign_to_3 vector_input 36 variable5 +assign_to_3 vector_input 31 variable21 +xor variable5 variable21 +assign_to_3 vector_input 32 variable21 +xor variable5 variable21 +assign_to_3 vector_input 33 variable21 +xor variable5 variable21 +compare_op variable5 != 10 + exit 0 +end +assign_to_3 vector_input 26 variable5 +assign_to_3 vector_input 14 variable21 +compare_op variable5 != variable21 + exit 0 +end +assign_to_3 vector_input 30 variable5 +assign_to_3 vector_input 32 variable21 +xor variable5 variable21 +assign_to_3 vector_input 26 variable21 +xor variable5 variable21 +compare_op variable5 != 50 + exit 0 +end +assign_to_3 vector_input 36 variable5 +assign_to_3 vector_input 33 variable21 +xor variable5 variable21 +assign_to_3 vector_input 22 variable21 +xor variable5 variable21 +compare_op variable5 != 62 + exit 0 +end +assign_to_3 vector_input 30 variable5 +assign_to_3 vector_input 23 variable21 +xor variable5 variable21 +assign_to_3 vector_input 27 variable21 +xor variable5 variable21 +assign_to_3 vector_input 34 variable21 +xor variable5 variable21 +compare_op variable5 != 81 + exit 0 +end +assign_to_3 vector_input 24 variable5 +assign_to_3 vector_input 33 variable21 +xor variable5 variable21 +assign_to_3 vector_input 23 variable21 +xor variable5 variable21 +compare_op variable5 != 54 + exit 0 +end +assign_to_3 vector_input 32 variable5 +assign_to_3 vector_input 30 variable21 +xor variable5 variable21 +assign_to_3 vector_input 34 variable21 +xor variable5 variable21 +assign_to_3 vector_input 21 variable21 +xor variable5 variable21 +compare_op variable5 != 83 + exit 0 +end +assign_to_3 vector_input 28 variable5 +assign_to_3 
vector_input 26 variable21 +xor variable5 variable21 +assign_to_3 vector_input 21 variable21 +xor variable5 variable21 +assign_to_3 vector_input 22 variable21 +xor variable5 variable21 +compare_op variable5 != 10 + exit 0 +end +assign_to_3 vector_input 35 variable5 +assign_to_3 vector_input 26 variable21 +xor variable5 variable21 +assign_to_3 vector_input 29 variable21 +xor variable5 variable21 +assign_to_3 vector_input 34 variable21 +xor variable5 variable21 +compare_op variable5 != 86 + exit 0 +end +assign_to_3 vector_input 36 variable5 +assign_to_3 vector_input 27 variable21 +xor variable5 variable21 +assign_to_3 vector_input 33 variable21 +xor variable5 variable21 +compare_op variable5 != 62 + exit 0 +end diff --git a/2019/hitb/interpreter_from_hell/rev.py b/2019/hitb/interpreter_from_hell/rev.py new file mode 100644 index 0000000..8ce432e --- /dev/null +++ b/2019/hitb/interpreter_from_hell/rev.py 
@@ -0,0 +1,56 @@ +def is_number(s): + try: + s = int(s) + return True + except: + return False + + +def comparision(num1, op, num2): + if op == "$N@{(?do}aWbNACu_E!s?Z(wPB": + return num1 == num2 + elif op == "a}YZZUMK@!Hw(sfP}P*Pp|b": + return num1 != num2 + elif op == "Q/ey{l] num2 + elif op == "(rv/Dx{Uvm)_QlY&?}I*sNCe": + return num1 < num2 + elif op == "myN+OP@llg*aoOPSWU[vc*Y": + return num1 >= num2 + elif op == "JDG!K>WfFrQWlGtwPwM": + return num1 <= num2 + else: + return 0 + + +code = open("code.txt", 'r').read().split('\n') +map1 = map() +map2 = map() +map1_c = map() +map2_c = map() +line_ptr = 0 + +while True: + if line_ptr > len(code): + break + line = code[line_ptr] + code = [] + tokens = line.split(' ') + first_token = token[0] + args = tokens[1:] + + if token == 'xYJ?s%cWn`|+dfeDH>uF`_xOw': # compare(num1, op, num2), num1, num2 could be variables + num1, num2 = 0, 0 + if is_number(args[0]): + num1 = int(args[0]) + else: + num1 = map1[args[0]] + + if is_number(args[2]): + num2 = int(args[2]) + else: + num2 = map1[args[2]] + + comparision(num1, args[1], num2) + scan_line(line_ptr, "$wZD~Vm&PDFl;.K:yQL*vT-", line_indent) + diff --git a/2019/hitb/interpreter_from_hell/solve.py b/2019/hitb/interpreter_from_hell/solve.py new file mode 100644 index 0000000..79ab856 --- /dev/null +++ b/2019/hitb/interpreter_from_hell/solve.py 
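Review bot: As written the interpreter loop cannot execute a single instruction: `map1 = map()` raises TypeError (the builtin needs an iterable; an empty dict `{}` is meant for all four tables), `first_token = token[0]` references an undefined `token` (should be `tokens[0]`, and the later `if token == '...'` should test `first_token`), `code = []` discards the program right after reading the first line, and `line_ptr` is never advanced, so the guard `line_ptr > len(code)` (also off by one — `>=` is needed to avoid an IndexError on the last index) would otherwise spin forever. The result of `comparision(...)` is dropped, and `scan_line` / `line_indent` are not defined anywhere in the file. The `elif op == "Q/ey{l] num2` line appears to have lost text in extraction (presumably the `>` branch merged with its `return`), so that opcode string cannot be trusted as shown. This reads as an abandoned work-in-progress; if it is kept, a header comment such as `# incomplete: partial interpreter for code.txt, superseded by solve.py` would save the next reader the debugging.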
@@ -0,0 +1,66 @@ +from z3 import * +import random + + +arr = [] +for i in range(38): + arr.append(BitVec('var{}'.format(i), 32)) + + +s = Solver() + +for i in range(38): + s.add(arr[i] < 256) + s.add(arr[i] >= 0x30) + +s.add( + (0 ^ (arr[0] << (0)) ^ (arr[1] << (1)) ^ (arr[2] << (2)) ^ (arr[3] << (3)) ^ (arr[4] << (4)) ^ (arr[5] << (5)) ^ (arr[6] << (6)) ^ (arr[7] << (7)) ^ (arr[8] << (8)) ^ (arr[9] << (9)) ^ (arr[10] << (10)) ^ (arr[11] << (11)) ^ (arr[12] << (12)) ^ (arr[13] << (13)) ^ (arr[14] << (14)) ^ (arr[15] << (15)) ^ (arr[16] << (16)) ^ (arr[17] << (17)) ^ (arr[18] << (18)) ^ (arr[19] << (19)) ^ (arr[20] << (20)) ^ (arr[21] << (21)) ^ (arr[22] << (22)) ^ (arr[23] << (23)) ^ (arr[24] << (24)) ^ (arr[25] << (25)) ^ (arr[26] << (26)) ^ (arr[27] << (27)) ^ (arr[28] << (28)) ^ (arr[29] << (29)) ^ (arr[30] << (30)) ^ (arr[31] << (31)) ^ (arr[32] << (0)) ^ (arr[33] << (1)) ^ (arr[34] << (2)) ^ (arr[35] << (3)) ^ (arr[36] << (4)) ^ (arr[37] << (5))) == 0x966a35fa +) +s.add( + arr[2] == (0x61 ^ 0x15), + arr[1] == (0x6c ^ 0x05), + arr[3] == (0x67 ^ 0x05), + arr[37] == (0x28 ^ 0x55), + arr[0] == (0x66 ^ 0x0e), + arr[4] == (0x3a ^ 0x41) +) + +vector_y = [0x91, 0x42, 0xdb, 0x3f, 0xfa, 0x17, 0x80, 0xff, 0x8d, 0x75, 0x88, 0x25, 0xaf, 0x96, 0x64, 0x63] +vector1 = arr[5:21] + +rand = list(map(int, open('rand', 'r').read().split(' ')[:-1])) + +for i in range(125): + for j in range(16): + vector2 = rand[i * 16 + j] # random vector + vector1[j] = vector1[j] ^ (vector2 & 0xff) + for j in range(1, 16): + vector1[j] = vector1[j] ^ vector1[j - 1] + +for i in range(16): + s.add(vector_y[i] == vector1[i]) + +s.add(arr[34] ^ arr[31] ^ arr[24] ^ arr[27] == 88) +s.add(arr[25] ^ arr[26] ^ arr[32] == 101) +s.add(arr[36] ^ arr[25] ^ arr[29] ^ arr[21] == 84) +s.add(arr[28] ^ arr[24] ^ arr[23] ^ arr[27] == 7) +s.add(arr[29] ^ arr[31] ^ arr[35] ^ arr[36] == 1) +s.add(arr[36] ^ arr[31] ^ arr[32] ^ arr[33] == 10) +s.add(arr[26] == arr[14]) +s.add(arr[30] ^ arr[32] ^ arr[26] == 50) 
+s.add(arr[36] ^ arr[33] ^ arr[22] == 62) +s.add(arr[30] ^ arr[23] ^ arr[27] ^ arr[34] == 81) +s.add(arr[24] ^ arr[33] ^ arr[23] == 54) +s.add(arr[32] ^ arr[30] ^ arr[34] ^ arr[21] == 83) +s.add(arr[28] ^ arr[26] ^ arr[21] ^ arr[22] == 10) +s.add(arr[35] ^ arr[26] ^ arr[29] ^ arr[34] == 86) +s.add(arr[36] ^ arr[27] ^ arr[33] == 62) + +s.check() +ans = s.model() + +result = '' +for i in range(38): + # print(hex(ans[arr[i]].as_long())) + result += chr(ans[arr[i]].as_long()) +print(result) diff --git a/2019/hitb/sweep/sweep.py b/2019/hitb/sweep/sweep.py new file mode 100644 index 0000000..a27e203 --- /dev/null +++ b/2019/hitb/sweep/sweep.py 
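Review bot: The verdict of `s.check()` is discarded right before `ans = s.model()`, so an unsatisfiable system (for instance if the `rand` dump does not line up with the interpreter's RNG stream) dies with an opaque Z3Exception instead of reporting that the constraints failed; use `assert s.check() == sat, "constraints unsat"` before taking the model. On the per-byte bounds, z3's `<` / `>=` on BitVecs are signed comparisons; with the 0x30 lower bound this happens to be harmless, but `ULT(arr[i], 256)` / `UGE(arr[i], 0x30)` state the intent and stay correct if the bounds are ever widened. The `rand` file is opened without being closed and `import random` is unused. The `vector2 & 0xff` line mirrors the interpreter's `assign_to_3 vector_2 3 variable11`, which presumably takes element 3 of each random vector — whether `rand` was dumped as that element or as raw RNG output is not visible here and deserves a one-line comment at that point.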
@@ -0,0 +1,152 @@ +import binascii +from capstone import * +from unicorn import * +from unicorn.x86_const import * + +opcode = b"".join( + map( + lambda x: binascii.unhexlify(x.strip()), + """ +55 +89e5 +53 +83e4f0 +83ec10 +c74424050aff0dee +66c74424098903 +c644240b00 +eb01 +d3 +c7 +44 +240c +0000 +0000 +eb46 +8b44240c +0540c00408 +0fb618 +8b4c240c +baabaaaa2a +89c8 +f7ea +89c8 +c1f81f +29c2 +89d0 +01c0 +01d0 +01c0 +29c1 +89ca +0fb6541405 +8b44240c +0540c00408 +31da +8810 +eb01 +a18344240c +01837c240c51 +7eb3 +eb01 +68b840c004 +08ff +d0b800000000 +8b +5d +""".split( + "\n" + ), + ) +) + +data = binascii.unhexlify( + " e1da 3c27 3825 50ad 8ddc be41 e805 3c2e 3907 3b24 beef d032 d84d 2b23 0932 ca4f 0cdf 52b0 0b32 8d06 5ffc f500 52b0 ca56 46ad 5eeb 8600 0bfa 08eb 8602 0efd 09bf 8f01 0eac 08bd 890d 5cfc 0cba 8a57 09fe 0ea4 0000 ffff ffff ffff ffff ffff ffff ".replace( + " ", "" + ) +) + +md = Cs(CS_ARCH_X86, CS_MODE_32) + + +def disas(opcode, addr): + for i in md.disasm(opcode, addr): + print("0x%x:\t%s\t%s" % (i.address, i.mnemonic, i.op_str)) + + +continueAddr = "" +isContinue = False + + +def prompt(uc, address, size, user_data): + global continueAddr + global isContinue + while True: + cmd = input(">>> ") + if cmd == "q": + exit() + if cmd == "": + break + if "p" == cmd[0]: + _, reg = cmd.split(' ') + if reg == "eax": + pass + continue + if "c" == cmd[0]: + _, addr = cmd.split(' ') + continueAddr = int(addr, 16) + isContinue = True + break + try: + print(eval(cmd)) + except BaseException: + print("exception") + +# callback for tracing memory access (READ or WRITE) +def hook_mem_access(uc, access, address, size, value, user_data): + if access == UC_MEM_WRITE: + print( + ">>> Memory is being WRITE at 0x%x, data size = %u, data value = 0x%x" + % (address, size, value) + ) + else: # READ + print(">>> Memory is being READ at 0x%x, data size = %u" % (address, size)) + + +def hook_code(uc, address, size, user_data): + global continueAddr + global isContinue + # print(">>> 
Tracing instruction at 0x%x, instruction size = 0x%x" % (address, size)) + opcode = mu.mem_read(address, size) + for i in md.disasm(opcode, address): + print("%x bytes 0x%x:\t%s\t%s" % (size, i.address, i.mnemonic, i.op_str)) + pass + + if address == int("0x804c04e", 16): + print('flag: ' + mu.mem_read(134529132, 38).decode()) + # print(mu.mem_read(0x0804C040, 0x100)) + + if isContinue: + if address != continueAddr: + return + isContinue = False + + # prompt(uc, address, size, user_data) + + +mu = Uc(UC_ARCH_X86, UC_MODE_32) +mu.mem_map(0x08040000, 0xC * 1024 * 1024) + +mu.mem_write(0x08049166, opcode) +mu.mem_write(0x0804C040, data) + +# mu.hook_add(UC_HOOK_MEM_WRITE, hook_mem_access) +# mu.hook_add(UC_HOOK_MEM_READ, hook_mem_access) +mu.hook_add(UC_HOOK_CODE, hook_code) + +mu.reg_write(UC_X86_REG_ESP, 0x08040000 + 0x200000) +# mu.reg_write(UC_X86_REG_EIP, 0x08049166) +try: + mu.emu_start(0x08049166, len(opcode)) +except: + exit() \ No newline at end of file diff --git a/2019/hitb/sweep/sweep.txt b/2019/hitb/sweep/sweep.txt new file mode 100644 index 0000000..19ebc09 --- /dev/null +++ b/2019/hitb/sweep/sweep.txt 
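Review bot: `mu.emu_start(0x08049166, len(opcode))` passes a byte count where Unicorn expects an `until` address, so the stop address (about 0x89) is never reached and the run only ends when the emulator faults; `mu.emu_start(0x08049166, 0x08049166 + len(opcode))` is the intent. That fault is then swallowed by the bare `except: exit()`, which equally hides any genuine emulation error — catch `UcError as e` and print it before exiting. The opcode list ends at `8b 5d`, which is exactly where r2's 137-byte `pD` listing stops, so the displacement of `mov ebx, [ebp-4]` and the `leave` / `ret` appear to be missing; the flag hook at 0x804c04e fires inside the decoded data before that matters, but a comment saying the tail is truncated on purpose would help. `prompt()` evaluates raw stdin with `eval` and catches `BaseException`, which also swallows Ctrl-C; `eval` is by design in a debugging REPL, but narrow the catch to `Exception`.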
@@ -0,0 +1,135 @@ +$ r2 sweep 2345ms + -- I did it for the pwnz. +[0x08049050]> iI +arch x86 +baddr 0x8048000 +binsz 14345 +bintype elf +bits 32 +canary false +class ELF32 +compiler GCC: (GNU) 9.1.0 +crypto false +endian little +havecode true +intrp /lib/ld-linux.so.2 +laddr 0x0 +lang c +linenum true +lsyms true +machine Intel 80386 +maxopsz 16 +minopsz 1 +nx false +os linux +pcalign 0 +pic false +relocs true +relro partial +rpath NONE +sanitiz false +static false +stripped false +subsys linux +va true + +[0x08049050]> aa +[x] Analyze all flags starting with sym. and entry0 (aa) +[0x08049050]> afi main +# +offset: 0x08049166 +name: main +size: 140 +is-pure: false +realsz: 137 +stackframe: 24 +call-convention: cdecl +cyclomatic-cost : 52 +cyclomatic-complexity: 2 +bits: 32 +type: sym [NEW] +num-bbs: 7 +edges: 7 +end-bbs: 1 +call-refs: 0x08049187 J 0x080491d7 J 0x080491d2 J 0x080491e1 J +data-refs: 0x0804c040 +code-xrefs: 0x08049184 J 0x080491cf J 0x0804918f J 0x080491de J +in-degree: 4 +out-degree: 0 +data-xrefs: 0x0804907a 0x08049080 +locals: 5 +args: 0 +var int32_t var_4h @ ebp-0x4 +var int32_t var_5h @ esp+0x5 +var int32_t var_9h @ esp+0x9 +var int32_t var_bh @ esp+0xb +var int32_t var_ch @ esp+0xc +diff: type: new +[0x08049050]> af- main +[0x08049050]> pD 137@main + ;-- main: + 0x08049166 55 push ebp + 0x08049167 89e5 mov ebp, esp + 0x08049169 53 push ebx + 0x0804916a 83e4f0 and esp, 0xfffffff0 + 0x0804916d 83ec10 sub esp, 0x10 + 0x08049170 c74424050aff0dee mov dword [esp + 5], 0xee0dff0a + 0x08049178 66c74424098903 mov word [esp + 9], 0x389 + 0x0804917f c644240b00 mov byte [esp + 0xb], 0 + ,=< 0x08049184 eb01 jmp 0x8049187 + | 0x08049186 d3c7 rol edi, cl + 0x08049188 44 inc esp + 0x08049189 240c and al, 0xc + 0x0804918b 0000 add byte [eax], al + 0x0804918d 0000 add byte [eax], al + ,=< 0x0804918f eb46 jmp 0x80491d7 + .--> 0x08049191 8b44240c mov eax, dword [esp + 0xc] + :| 0x08049195 0540c00408 add eax, 0x804c040 + :| 0x0804919a 0fb618 movzx ebx, byte [eax] + 
:| 0x0804919d 8b4c240c mov ecx, dword [esp + 0xc] + :| 0x080491a1 baabaaaa2a mov edx, 0x2aaaaaab + :| 0x080491a6 89c8 mov eax, ecx + :| 0x080491a8 f7ea imul edx + :| 0x080491aa 89c8 mov eax, ecx + :| 0x080491ac c1f81f sar eax, 0x1f + :| 0x080491af 29c2 sub edx, eax + :| 0x080491b1 89d0 mov eax, edx + :| 0x080491b3 01c0 add eax, eax + :| 0x080491b5 01d0 add eax, edx + :| 0x080491b7 01c0 add eax, eax + :| 0x080491b9 29c1 sub ecx, eax + :| 0x080491bb 89ca mov edx, ecx + :| 0x080491bd 0fb6541405 movzx edx, byte [esp + edx + 5] + :| 0x080491c2 8b44240c mov eax, dword [esp + 0xc] + :| 0x080491c6 0540c00408 add eax, 0x804c040 + :| 0x080491cb 31da xor edx, ebx + :| 0x080491cd 8810 mov byte [eax], dl + ,===< 0x080491cf eb01 jmp 0x80491d2 + |:| 0x080491d1 a18344240c mov eax, dword [0xc244483] + :| 0x080491d6 01837c240c51 add dword [ebx + 0x510c247c], eax + `==< 0x080491dc 7eb3 jle 0x8049191 + ,=< 0x080491de eb01 jmp 0x80491e1 + | 0x080491e0 68b840c004 push 0x4c040b8 + 0x080491e5 08ff or bh, bh + 0x080491e7 d0b800000000 sar byte [eax], 1 + 0x080491ed 8b invalid + 0x080491ee 5d pop ebp +[0x08049050]> px 256@0x804c000 +- offset - 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF +0x0804c000 0cbf 0408 0000 0000 0000 0000 4690 0408 ............F... +0x0804c010 0000 0000 0000 0000 0000 0000 0000 0000 ................ +0x0804c020 0000 0000 0000 0000 0000 0000 0000 0000 ................ +0x0804c030 0000 0000 0000 0000 0000 0000 0000 0000 ................ +0x0804c040 e1da 3c27 3825 50ad 8ddc be41 e805 3c2e ..<'8%P....A..<. +0x0804c050 3907 3b24 beef d032 d84d 2b23 0932 ca4f 9.;$...2.M+#.2.O +0x0804c060 0cdf 52b0 0b32 8d06 5ffc f500 52b0 ca56 ..R..2.._...R..V +0x0804c070 46ad 5eeb 8600 0bfa 08eb 8602 0efd 09bf F.^............. +0x0804c080 8f01 0eac 08bd 890d 5cfc 0cba 8a57 09fe ........\....W.. +0x0804c090 0ea4 0000 ffff ffff ffff ffff ffff ffff ................ +0x0804c0a0 ffff ffff ffff ffff ffff ffff ffff ffff ................ 
+0x0804c0b0 ffff ffff ffff ffff ffff ffff ffff ffff ................ +0x0804c0c0 ffff ffff ffff ffff ffff ffff ffff ffff ................ +0x0804c0d0 ffff ffff ffff ffff ffff ffff ffff ffff ................ +0x0804c0e0 ffff ffff ffff ffff ffff ffff ffff ffff ................ +0x0804c0f0 ffff ffff ffff ffff ffff ffff ffff ffff ................ +[0x08049050]> \ No newline at end of file
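Review bot: The `pD 137@main` listing is misaligned after every `eb01` jump-over-one-byte trick and the transcript does not say so, which makes the captured disassembly misleading at face value. From the bytes shown, the real instructions are: at 0x8049187 `c7 44 24 0c 00 00 00 00` = `mov dword [esp+0xc], 0` (junk byte `d3`); at 0x80491d2 `83 44 24 0c 01` = `add dword [esp+0xc], 1` (junk `a1`); at 0x80491d7 `83 7c 24 0c 51` / `7e b3` = `cmp dword [esp+0xc], 0x51` / `jle 0x8049191`; and at 0x80491e1 `b8 40 c0 04 08` / `ff d0` = `mov eax, 0x804c040` / `call eax` (junk `68`). So main XORs the 0x52 bytes at 0x804c040 with the 6-byte key `0a ff 0d ee 89 03` built at `[esp+5]` (the `imul 0x2aaaaaab` / `sar` sequence is `i/6`, the following adds rebuild `6*(i/6)`, and `sub ecx, eax` leaves `i % 6`) and then calls into the decrypted data, which is why `nx false` is load-bearing for this binary. A short note under the listing (`# r2 listing misaligned by eb01 anti-disasm; real flow: zero counter, xor 0x52 bytes at 0x804c040 with key at esp+5, call 0x804c040`) would spare the next reader re-deriving it.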